Radboud University: Cybersecurity Act gives AIVD and MIVD more scope to act, increases supervision

The Dutch House of Representatives will be debating the ‘Cybersecurity Act’ soon. This law will give the General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) more opportunities for, for example, tapping internet traffic. Extra instruments of supervision will allow this to be done without it necessarily becoming cause for concern. Rowin Jansen, a PhD candidate at Radboud University’s Research Centre for State and Law, writes in a piece published today in Nederlands Juristenblad.

The logic behind the proposed Temporary act on investigations by AIVD and MIVD into countries with offensive cyber programmes (known as the ‘Cybersecurity Act’) is easy to follow, says Jansen. “The threat of cyber attacks from Russia and China, among others, has never been quite as real. For attackers, our digital infrastructure is an attractive and vulnerable target. The situation in Ukraine has also shown us how dire an emergency we are facing.”

“The Intelligence and Security Services Act 2017 (‘Wiv’, the framework within which the intelligence services function) did not give the AIVD and MIVD enough scope for properly monitoring the digital threat and taking adequate counter measures. Consequently we could end up with reduced insight into certain cyber actors.” The government hopes that the Cybersecurity Act will give these services more clout in the digital domain. Along with this widening of powers, the supervisory system is also being reformed. In recent years, there has been friction between the services and the supervisory bodies regarding the interpretation of statutory requirements.

In the previous system, every act in the cyber domain required prior review by the Review Board for the Use of Powers (Toelichtingscommissie Inzet Bevoegdheden, TIB). The new legislation involves an amendment of this prior review. “The front-end review will therefore be less probing,” says Jansen. “This is important, because when you run hacking operations at the front end you do not really know what you will encounter once you’re in. You can’t map out the progress of an operation like this in advance, yet that is what the Wiv requires. The Cybersecurity Act will allow the AIVD and MIVD to act more rapidly and therefore also more effectively to possible threats.”

Supervision not reduced, but transferred
Bits of Freedom and other privacy organisations are concerned about the new legislation, since supervision is being reduced in their opinion. Jansen: “I don’t think that is true. The government wants to transfer the supervision. It is true that there will be less intensive review at the front end, but at the back end there will be far more extensive opportunities for intervening in operations run by the services. The new legislation gives the Intelligence and Security Services Review Committee (CTIVD) binding decision-making power at the back end. This means that the CTIVD follows the entire process and can halt the operation at any moment if anything unlawful is identified. The CTIVD can also demand that all unlawfully collected data be destroyed. This means that there is robust supervision throughout the operational process. I would dare to say that at the least this compensates well for the reduced supervision at the front end.”

Basis for review of Wiv
Should there be a clash between the supervisory authority and the intelligence service, moreover, the matter could be brought before the Council of State. This is a new development. “In the future, the highest court in the Netherlands will be able to give judgment regarding the AIVD and MIVD, and will moreover be obliged to make certain aspects of the judgment public. There will be more freedom and transparency in this regard as well. Public decisions regarding secret services are very special, and are innovative in an international sense too.”

Although the Cybersecurity Act will be temporary, according to Jansen this law will probably form the basis for an extensive review of the Wiv which is due to take place in a few years. “These are the broad strokes of the new law, so it is important that we consider it well now. Regarding supervision in particular, a lot will be changing. In the recent past, the Wiv involved an excessive tightening of the screws, for the intelligence services as well as for the supervisors. Supervision does need to cause some friction, it’s true, but I think this new act will better serve our national security.”

In practice
Jansen has doubts about whether the Cybersecurity Act will function well in practice. Two separate, partly diverging statutory regimes could be applied to cyber operations at the same time. “Isn’t that a recipe for problems? I’m tempted to say: be careful what you wish for.”

What’s more, the system of supervision, which was complicated enough when it involved two supervisors, will become even more complex. “It’s quite possible that the operational speed and agility of the services may increase, just as the government hopes, but it’s equally possible that the strained relationship between the services and the supervisors will be exacerbated by this further formalisation.” Whether or not the new system works will therefore depend on the extent to which the services and the supervisors are willing to work together constructively.